The latest EDRi-gram

*About a 6.5 on the EDRi indignation scale.

======================================================================

EDRi-gram

fortnightly newsletter about digital civil rights in Europe

EDRi-gram 13.18, 23 September 2015

Read online: https://edri.org/edri-gram/13-18/

=======================================================================
Contents

1. Germany dreams of security: An ID for every “thing” connected
2. EU Parliament's “radicalisation” draft report – lost in translation
3. State of play of Internet freedom in the Netherlands
4. Germany: The secret service's 300-million-euro surveillance plan
5. AVG starts selling personal data to third parties
6. Generali, the health insurer who wants to know everything about you
7. Two Danes arrested for publishing information about Popcorn Time
8. ENDitorial: EU Commission ISDS proposal - a threat to democracy
9. Recommended Action
10. Recommended Reading
11. Agenda
12. About

=======================================================================
1. Germany dreams of security: An ID for every “thing” connected

New infrastructures often resemble untapped oil sources – everyone tries
to get in as early as possible in order to grab the biggest share. The
German newspaper Die Zeit Online revealed in September that a chip
manufacturer has apparently been going to great lengths to ensure a
large share of the growing market of the “Internet of things”.

The Dutch company NXP lobbied the German Ministry for Economic Affairs
to push for the introduction of unique identifiers for every “thing”
connected to the Internet. NXP is one of Europe's biggest semiconductor
manufacturers and specialises in the production of identification
hardware, such as security chips that are used in electronic ID cards
and passports. This is a rather tiny part of the chip market – but
Die Zeit suspects that the company now wants to use its lobbying skills
to grow this market and to conquer it.

According to an investigation conducted by the newspaper, the German
Ministry for Economic Affairs was already on its way to transforming the
Internet of Things into a big surveillance infrastructure. The idea of
the manufacturer is that every “thing” that is connected to the
internet, such as fridges, central heating systems, laptops, cars etc.,
should be equipped with a chip that makes it uniquely identifiable. This
would then function as a sort of digital ID card for every single device
connected to the Net.

A draft “identity security law” is supposed to provide the legal
framework in the country for this infrastructure. Currently, the details
only exist in the form of a “key issues paper”, a type of document which
often serves as a basis for draft laws. Die Zeit's article seems to be
based on this 15-page internal paper called “identity security law
for the Internet of Things”.

The newspaper also reports on a meeting between the Minister of the
Economy, Sigmar Gabriel, and representatives of NXP. During the meeting,
Gabriel was successfully convinced to support the measure. The key issues
paper drafted by NXP was then circulated internally in the Ministry and in
other companies for discussion.

The paper was criticised by civil society, opposition parties and
industry representatives. Harald Summa, head of the Association of the
German Internet Industry eco, stated that the chip would be a huge
barrier to innovation and counter-productive for the future of Germany's
information technology.

Frank Rieger, spokesperson of the German EDRi-member Chaos Computer Club,
stated:
The text attempts to use the security problem of some components of the
internet of things as a springboard for a universal governmental device
ID, which would be a surveillance nightmare. Moreover, this does not fix
the actual problem: the software of the devices on the internet of
things is as poor as in our computers and cell phones. One should start
here in order to change market dynamics to increase security.

Zeit Online, An ID card for every toaster? (only in German, 17.09.2015)
http://www.zeit.de/digital/internet/2015-09/internet-sicherheit-identitaet-nxp/komplettansicht

(Contribution by Kirsten Fiedler, EDRi)

=======================================================================
2. EU Parliament's “radicalisation” draft report – lost in translation

The European Parliament is currently working on a non-binding Resolution
on terrorist “radicalisation”. As is usual with such instruments, little
attention is being paid to the initiative, because it is not binding
legislation. Nonetheless, it will be a formal position of the European
Parliament, and it is important that the outcome shows adequate
concern for fundamental principles of European law and values.

In the initial draft, the Parliamentarian in charge, French conservative
Rachida Dati, proposed a rather strict wording regarding internet
intermediaries. She suggested in particular that Member States should
consider criminal sanctions in cases where “internet giants” do not
react to “circulation of illicit messages that defend terrorism” (in
French: “diffusion de messages illicites et faisant l'apologie du
terrorisme”) on their online platforms. Although “illicit” and “illegal”
are not synonymous in all EU countries, the word “illicit” in the draft
report appears to be used as a synonym for “illegal”, as an intermediary
could hardly be held criminally liable for something that is not illegal.

However, the formal English translation from the European Parliament
changed this to “illicit messages or messages praising terrorism on
their internet platforms”. The word “or” creates an entirely new
meaning. The suggestion would now be that “internet giants” would be
held liable for failing to act in relation to illicit (illegal) content,
but also in relation to content which is legal in some Member States.

What happened next was surprising. Instead of asking how Ms Dati was
suggesting making internet companies criminally liable for material
which was not illegal (which she originally was not), Parliamentarians
from across the political spectrum tabled amendments which left this
text unchanged. Not one single voice was raised in relation to the
various mistranslations (such as into German, Finnish and English)
before the amendments were tabled. With English being the lingua franca
in the European Parliament, the discussions simply took over this new
and legally incoherent meaning.

Ms Dati, bending to the apparent will of the majority of Members of the
European Parliament (MEPs), who proposed amendments based on the English
mistranslation, has now proposed a compromise text for approval by the
other political groups. The proposed compromise suggests that the
European Parliament “believes that the Member States should plan for the
possibility of bringing criminal prosecutions against digital operators
who do not take action in identifying and deleting manifestly illegal
messages or messages praising terrorism on their internet platforms”.
Ironically, while suggesting that internet companies be coerced, by the
threat of criminal prosecution, into arbitrarily deleting legal content,
the compromise also says that this should happen “with full respect for
the rule of law, fundamental rights and the freedom of expression”. How
would that be possible in practical terms?

Civil Liberties Committee Draft Report (FR) on prevention of
radicalisation and recruitment of European citizens by terrorist
organisations (2015/2063(INI)) (01.06.2015)
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-%2f%2fEP%2f%2fNONSGML%2bCOMPARL%2bPE-551.968%2b01%2bDOC%2bPDF%2bV0%2f%2fFR

Civil Liberties Committee Draft Report (EN) on prevention of
radicalisation and recruitment of European citizens by terrorist
organisations (2015/2063(INI)) (01.06.2015)
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-%2f%2fEP%2f%2fNONSGML%2bCOMPARL%2bPE-551.968%2b01%2bDOC%2bPDF%2bV0%2f%2fEN

EDRi-gram: European Parliament – translating freedoms into Chinese
(29.07.2015)
https://edri.org/enditorial-european-parliament-translating-freedoms-into-chinese/

(Contribution by Joe McNamee, EDRi)

=======================================================================
3. State of play of Internet freedom in the Netherlands

Dutch EDRi member Bits of Freedom is diligently watching a set of broad
tendencies, such as the dominant positions of a handful of tech giants,
the Internet of Things, and the idea that technology cannot be neutral.
Bits of Freedom is also working hard to prevent the occurrence of a
number of very real threats to your internet freedom. Here's an update
on three topics currently debated in the Netherlands.

The dragnet for the Dutch secret service

On 2 July 2015, Minister of the Interior Ronald Plasterk published a
bill for a new Intelligence and Security Services Act. This bill will
give the most far-reaching power to the intelligence and security
services to tap citizens' communications, not only listen to their
telephone conversations, but also to monitor chat and email messages, as
well as the websites visited. It's true that the current Intelligence
and Security Services Act already allows the security services to tap
specific individuals for monitoring purposes, but the new law would
allow them to collect such data in bulk. This way innocent people would
end up in the dragnet, too.

Another problem concerning this bill is that the exchange of data with
foreign security services will not be limited. This means that the data
collected can be handed over to other intelligence and security services
without the Dutch security service even knowing the content of the
dataset they provide.

Finally, there's no independent, legally binding oversight. If the
oversight committee concludes that the minister has unjustly allowed the
application of such a dragnet, the minister can simply overrule the
oversight committee; he can only be held accountable by Parliament.
Oversight over intelligence and security services should not be left to
politicians, because this gives politicians power without any
counterbalancing transparency or accountability.

Reintroduction of data retention law

On 11 March 2015, the Dutch data retention law was thwarted by a ruling
of the District Court of The Hague. Under that law, everybody's location
and communication behaviour would have been stored for up to a year,
which would have had a massive impact on our freedom. Unfortunately the
minister of Security and Justice, Ard Van der Steur, has already
indicated that he will introduce a new data retention bill.

Hacking Criminal Investigation Departments

Van der Steur also wishes to grant Dutch law enforcement the power
to hack citizens' computers and other devices, such as tablets and
smartphones. Ironically this will only make the Dutch internet user more
unsafe. Imagine the police has the ability to enter a suspect's Outlook
via an existing vulnerability in the software. The police would then want
that vulnerability to remain open a little longer, rather than getting
it fixed as soon as possible. Unfortunately, the police isn't the only
party that can use this vulnerability to get access. So that will mean
that all other Outlook users are vulnerable to cyber criminals too.

Demystifying the algorithm: Who designs your life? (26.06.2015)
https://www.bof.nl/2015/06/26/demystifying-the-algorithm-who-designs-your-life/

EDRi-gram: Dutch Minister of the Interior reveals plans for dragnet
surveillance (15.07.2015)
https://edri.org/dutch-minister-reveals-plans-for-dragnet-surveillance/

Data retention law struck down - for now (11.03.2015)
https://www.bof.nl/2015/03/11/data-retention-law-struck-down-for-now/

How your innocent smartphone passes on almost your entire life to the
secret service (30.07.2014)
https://www.bof.nl/2014/07/30/how-your-innocent-smartphone-passes-on-almost-your-entire-life-to-the-secret-service/

Dutch government: Let’s keep data retention mostly unchanged (16.12.2014)
https://www.bof.nl/2014/12/16/dutch-government-lets-keep-data-retention-mostly-unchanged/

Dutch hacking proposal puts citizens at risk (2.05.2013)
https://www.bof.nl/2013/05/02/dutch-hacking-proposal-puts-citizens-at-risk/

(Contribution by Daphne van der Kroft, EDRi member Bits of Freedom, The
Netherlands - translation into English by Jay Achterberg)

=======================================================================
4. Germany: The secret service's 300-million-euro surveillance plan

This is a shortened English version of the German article originally
published by Andre Meister on Netzpolitik.org. Translation and changes
by Ulf Buermeyer, Kirsten Fiedler, and Nikolai Schnarrenberger.

Fibre-optic surveillance, scanning of Internet traffic in real time,
cracking encryption, hacking computers: Germany’s foreign intelligence
agency “Bundesnachrichtendienst” (BND) is massively expanding its
internet surveillance capabilities. On 21 September, the German blog
Netzpolitik.org published the classified 300 million euro investment
programme “Strategische Initiative Technik” (Strategic Initiative
Technology – SIT). Members of the German Bundestag and civil society
have criticised the agency’s new powers and demand an end to the programme.

In May 2014, shortly after the German Parliament’s US National Security
Agency (NSA) inquiry committee began its work, German media reported
that the BND was investing in a 300 million euro programme called
“Strategic Initiative Technology” (SIT). The official timetable of the
BND indicates that in 2014, preparations for the launch of SIT were
undertaken. The actual launch of the programme is under way right now.

In the document, it is explained that:
With its technical modernisation programme, the BND intends to respond
to the technological developments as indicated. The last technical
modernisation programme ran out in 2008, and subsequent single measures
could not prevent an investment backlog which has grown huge by now.

It is not entirely clear what kind of “technical modernisation” expired
in 2008. Operation Eikonal, the joint initiative of BND and NSA to
route and scan internet traffic massively at the Telekom in Frankfurt,
was terminated in 2008, as we know. At that time, the BND received hardware
and software from the NSA, while the BND offered access to the Internet
node DE-CIX in Frankfurt: surveillance technology in exchange for data.
But the NSA wanted more spying capabilities than the BND initially
intended to grant. Therefore, 38 000 selectors were allegedly used,
which officially violate “German and European interests”. As a result,
the BND stopped the transfer to the NSA to end the project.

The BND now wants to be able to perform wiretapping on its own. The
Snowden revelations about skills and financial resources of the
Five-Eyes Intelligence Services, an intelligence alliance comprising
Australia, Canada, New Zealand, the United Kingdom, and the United
States, aren’t seen as a warning but rather transformed into a wish-list
for the BND: The German agency wants to play “on an equal level with the
western partner services”:
The BND's plans are in synchronicity with those of other intelligence
services. To avoid losing important intelligence capabilities and to
encounter novel security threats, our partner countries have made
substantial investments in their intelligence services. The US has
gradually increased the NSA budget by more than fifty percent to nearly
eleven billion dollars since 2004. The main partners in Europe, France
and the UK, invested several hundred million euro in technical
modernisation programmes since 2009 and 2011 (500 million euro,
respectively 650 million pounds sterling) and significantly increased
the budget of its intelligence services step by step in the last few
years. If the BND cannot keep its capabilities in step with the state
of the art, it is in danger of falling behind countries like Italy or
Spain, causing negative consequences for the knowledge exchange within
the Community and the risk of isolation.

The technical wish-list as requested by the BND is divided into five areas:

  1. SIGINT (Signals Intelligence): Similarly to the intelligence services
    of the Five Eyes, the BND invests a major part of its resources in
    “signals intelligence” (SIGINT). BND explains that “technical
    intelligence” can only be “the cornerstone of a modern and efficient
    Federal Intelligence Service, aligned to future challenges”. The search
    for “a needle in a haystack” is only successful if the search is carried
    out in a targeted manner and in real-time.
  2. Internet operation skills (CYBER) are to be increased. The technical
    possibilities to explore the Internet as a public information space are
    used extensively for the investigation of communications and content
    that are directed against Germany.
  3. In the field of sensor technology, technological progress is used for
    the investigation of atomic, biological, chemical and other weapons in
    mission areas.
  4. The increasing use of biometrics and the consequent risk for human
    intelligence (HUMINT) operations are to be met with new methods
    and systems.
  5. With the expansion of the integrated data analysis (AIDA) programme,
    new kinds of analytic tools will be put in place. According to the BND,
    traditional intelligence methods are “not up to the new requirements
    both in terms of the amount of data, and to the content of the
    individual particles”. Therefore, the BND wants to develop new
    approaches to monitor social media.

Data protection experts criticised the programme, in particular the
plans for AIDA, and believe that the storage and processing of
self-published data represents a new designated use, which needs a new
legal basis. Despite this uncertain legal situation, the BND is moving
ahead with the project and has commissioned a feasibility study.
According to the BND documents, this study should include the “launch of
the observation and analysis of selected information channels” – i.e.
the observation of social networks such as Facebook and blogs. These
should be analysed “with regard to simple, defined issues”. The result
is to be “incorporated into the production process of the BND and be
evaluated there”.

Netzpolitik.org: Strategic Initiative Technology: We Unveil the BND
Plans to Upgrade its Surveillance Technology for 300 Million Euros
(23.09.2015)
https://netzpolitik.org/2015/strategic-initiative-technology-how-bnd-wants-to-ramp-up-its-tech-capabilities-for-300-million-euros/

=======================================================================
5. AVG starts selling personal data to third parties

The Czech Republic-based security software vendor AVG Technologies
recently updated its privacy policy. The objective of the changes,
according to the company, was to explain in a more transparent manner to
their users how it intends to use what it calls “non-personal
information”. The new privacy policy will take effect on 15 October 2015.

The company defines “non-personal data” as data that cannot be linked to
the identity of users in any way. The new privacy policy explains that
the company might collect and sell this information to third parties, to
allow their anti-virus product to stay free of charge to the users. AVG
also notes that it might anonymise and aggregate data that could
otherwise identify individual users. The text assures that the company
does not sell or rent its clients' personal data to third parties, but
the next paragraph warns that certain personal data may be shared with
any of their “affiliated AVG companies, search providers, selected AVG
resellers, distributors and other partners”.

The changes for the final user are not significant compared with the
previous version of AVG's privacy policy which stated that the company could
collect data on “the words you search”, but did not make it clear
whether browser history data could also be collected and sold to third
parties.

The reactions to the new privacy policy are diverse. Data protection and
IT law expert Orla Lynskey from the London School of Economics welcomed
the improved wording, but said that users can be justifiably concerned
by the implications for their privacy. “Its privacy policy is written in
clear and simple language,” she said, adding that users might expect an
anti-virus provider to be “more respectful” of their privacy and data security.
Alexander Hanff, security expert and chief executive of Think Privacy,
stated that AVG's potential ability to collect and sell browser and
search history data places the company “squarely into the category of
spyware”.

AVG's new privacy policy is on the one hand more transparent than its
previous ones that intentionally blurred the line between collecting
data for malware tracking and using it for profit, which can be
considered as a step in the right direction. On the other hand, by
making its privacy policy easier to understand, the company shows more
openly how it is collecting and re-selling the data – which is an
activity that many would consider unethical for a security software
company with elevated privileges to the personal and “non-personal” data
of its clients.

AVG Privacy Policy
http://www.avg.com/gb-en/privacy-new

AVG can sell your browsing and search history to advertisers (18.09.2015)
http://www.wired.co.uk/news/archive/2015-09/17/avg-privacy-policy-browser-search-data

AVG’s new privacy policy is uncomfortably honest about tracking users
(17.09.2015)
http://www.pcworld.com/article/2984639/privacy/avg-s-new-privacy-policy-is-uncomfortably-honest-about-tracking-users.html

Is AVG planning to sell user data to advertisers following privacy
policy change? (17.09.2015)
http://www.computing.co.uk/ctg/news/2426528/anti-virus-firm-avg-comes-under-fire-over-privacy-policy

(Contribution by Pierre Christopher, EDRi intern)

=======================================================================
6. Generali, the health insurer who wants to know everything about you

On 20 May 2015, we published a collection of science fiction stories for
the 300th edition of EDRi-gram newsletter – the premise of the
collection was scenarios that we envisaged happening in 2025. We did not
imagine that one of the stories on data collection practices by health
insurers would be getting closer to reality already in 2015.

In July 2015, the Italian insurance company Generali revealed the
details of its “Vitality Programme”, which is planned to be rolled out
in Germany, France and Austria in 2016. The goal of the programme is to
find out what clients are buying, eating, and how often they go to the
gym. On its website, Generali describes the programme as follows:
To begin with, clients are encouraged to find out their personal health
and fitness levels. Then they decide on personal objectives during the
programme. The second step is to work towards these goals. Points are
awarded for the achievement of the milestones that clients can use –
depending on how many they've accumulated – to reach a new level.
According to the level, clients receive various discounts and vouchers.
Points can be collected through various options, such as going to
preventive medical appointments (…), fitness and movement as well as
buying healthy food.

In an interview with the German edition of the Technology Review, the
head of Generali, Giovanni Liverani, stated that “some basic data can be
entered into an App by clients themselves, such as age, weight, and
height. In addition, they can decide: Do I allow my gym to tell Generali
Vitality how often I went to the training sessions, or certain
supermarket chains to tell what type of food I bought. This data will
then be transmitted to the legally separate Generali Vitality company.”

Some clients, however, might be more reluctant to share their data -
along the lines of the Federal Trade Commission (FTC) Chairwoman Edith
Ramirez, who stated in 2013 that “information that is not collected
in the first place can’t be misused.” According to Liverani, clients who
are concerned about their privacy and decide not to participate in the
programme will not be “punished”. So, the good news is, the fact that
you are not getting benefits that others are getting is not, in
Generali's logic, a comparative disadvantage for you.

Technology Review: Tracking by insurance companies: We will not punish
you (only in German, 27.08.2015)
http://www.heise.de/tr/artikel/Tracking-durch-die-Versicherung-Wir-werden-Sie-nicht-bestrafen-2791079.html

EDRi-gram 300: Neuro-implant hack reveals secret deals between health
insurers and employment agencies (20.05.2015)
https://edri.org/edri-gram-300-digital-rights-news-2025/

Generali: Vitality programme
http://www.generali-deutschland.de/online/portal/gdinternet/de/content/311198/1150478

(Contribution by Kirsten Fiedler, EDRi)

=======================================================================
7. Two Danes arrested for publishing information about Popcorn Time

The Popcorn Time software has become a popular way of watching movies
and TV shows online. The user is presented with an interface that has
the look and feel of established streaming services, such as Netflix. In
many cases, Popcorn Time is used to access content made available
without the authorisation of the rights-holders, but stopping the
copyright infringement is difficult due to the decentralised nature of
the underlying Bittorrent network. The website for the Popcorn Time
software contains no direct links to infringing material.

Rights-holders internationally have pursued a number of strategies
against Popcorn Time. This includes web blocking at the internet service
provider (ISP) level (e.g. court orders in UK, Italy and Israel) and
legal actions against individual Popcorn Time users. Since the
underlying filesharing technology of Popcorn Time is Bittorrent, users'
IP addresses can easily be determined unless they protect their identity
with a Virtual Private Network (VPN) connection. In Germany and Denmark,
lawyers have unmasked the subscribers behind IP addresses with a court
order, and subsequently sent letters demanding compensation for
copyright infringement. In the Netherlands, the rights-holder
organisation Brein has managed to close six Popcorn Time “fan pages”
through private settlements with the operators of these websites.

On 19 August 2015, the palette of legal strategies took a worrisome turn
when two Danish citizens were arrested and charged with “distributing
information and instructions about illegal content”, according to public
statements given by the Danish Police. In both cases, the reason for the
arrest was ownership of a website containing information about how to
use the Popcorn Time software. The two websites, popcorntime.dk and
popcorn-time.dk, appear to have been created independently of each
other. Prior to the arrest the domains were seized as evidence in the
case, and both websites currently display a notice that they have been
seized by the Danish State Prosecutor for Serious Economic and
International Crime (SØIK). Strangely enough, the web servers hosting
the real contents of the two Popcorn Time information websites are still
running one month after the arrest, and they can be accessed if one
knows the IP address of the server. The Domain Name System (DNS) records
for the domains, of course, point to the server run by SØIK.

The specific charges against the two unnamed individuals are also
mentioned on the seized websites. They are charged with contributing to
copyright infringement of a serious nature (Section 299 b of the Danish
penal code, which carries a maximum punishment of six years in prison).
Section 23 of the Danish penal code contains a fairly broad provision on
contributing to crimes committed by others through instigation or advice.

Neither of the websites contained any links to infringing material, only
general information about the Popcorn Time software, all of which is
available throughout the internet. The first hit when searching for
"Popcorn Time" on Google is the website where the Popcorn Time software
can be downloaded. Moreover, both websites contained a fairly clear
warning to their readers that the use of Popcorn Time could be illegal,
and that the material on the website should not be regarded as an
encouragement to commit copyright infringement. One of the websites
contained a link to the English website getpopcorntime.co.uk, which is
still running, and which essentially has the same content as the now
seized Danish website.

The prosecutor could perhaps argue that Popcorn Time is mainly used for
copyright-infringing activities, and that the information on the website
is advice to commit copyright infringement. In this case, the
contributing act would be towards unknown persons (that have read the
information on the website) and unspecified copyrighted works (as none
are mentioned). If Section 23 of the penal code can be interpreted this
broadly, it would have a seriously negative impact on freedom of speech.
Any public discussion of software that could be used illegally or where
the main use of the software is likely to be illegal, could potentially
lead to a charge for contributing to the crimes of others. This could
also affect internet intermediaries or their owners, as they could be
charged with contributing to any illegal activities by their user base.

The two Danes are charged with contributing to copyright infringement of
a serious nature, which usually involves activities on a commercial
scale. Immediately after the arrest, the Danish Rights Alliance, which
has close ties with SØIK, issued a press release claiming that both
websites had substantial advertising revenue. This seems highly unlikely
as the two websites were hosted on shared web servers with,
respectively, 50 and 500 other domains. Websites with a large number of
users generally run on dedicated servers in order to sustain the
traffic. There were some banner advertisements on the two websites, but
it is clearly worrying if minor advertising revenue by itself can be
considered "commercial-scale" in connection with claims of alleged
copyright infringement.

Police Arrest Men for Spreading Popcorn Time Information, Torrentfreak
(19.08.2015)
https://torrentfreak.com/police-arrest-men-for-spreading-popcorn-time-information-150819/

Popcorn Time “Fan Pages” Nuked By Anti-Piracy Outfit, Torrentfreak
(24.02.2015)
https://torrentfreak.com/popcorn-time-fan-pages-nuked-by-anti-piracy-outfit-150224/

EDRi-gram: Ex parte domain name seizures in Denmark (08.10.2014)
https://edri.org/ex-parte-domain-name-seizures-denmark/

Press release from the Danish Rights Alliance about the arrest (in
Danish only, 20.08.2015)
http://www.rettighedsalliancen.dk/2015/08/blokering-af-popcorntime-dk-og-popcorn-time-dk/

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)

=======================================================================
8. ENDitorial: EU Commission ISDS proposal - a threat to democracy

The European Commission has published its investor-state dispute
settlement (ISDS) reform proposal for the Transatlantic Trade and
Investment Partnership (TTIP), the EU-US trade agreement currently under
negotiation, and future trade agreements between the European Union and
third countries.

On the positive side, the reform proposal removes unfair procedural
advantages for the United States and tries to address some of the
concerns raised by the responses to the public consultation.

On the negative side, the reform proposal does not represent a rejection
of ISDS. It replaced the ISDS acronym with a new one, ICS, which stands
for Investment Court System. In fact, the proposal contains several
loopholes.

First, the reform proposal discriminates amongst investors, as it gives
foreign investors, and only foreign investors, the right to circumvent
domestic legal systems and use supranational adjudication to challenge
government decisions. Supranational adjudication places the development
of law outside democratic oversight.

Secondly, the reformed ISDS proposal contains procedural loopholes. If
adopted, the proposal would create perverse incentives. The adjudicators
would be paid per day worked and would be able to receive outside
remuneration. This creates incentives to give foreign investors value
for the money, as only foreign investors can start cases, leaving
domestic investors in a less advantageous position.

Thirdly, the reform still fails to protect EU policy making. Democratic
societies have to be able to change course, for instance to reform their
copyright laws, or to effectively protect the privacy of their citizens.
The proposal would place for-profit supranational investment
adjudicators above democracies. The adjudicators would assess whether
democratic decisions are arbitrary from the point of view of the
protection of foreign investments. This creates major risks for
democracies and civil rights.

Finally, the European Commission undermines any possible positive
element in its reform proposal, as it still intends to keep the "old
ISDS" in trade agreements whose negotiations have been concluded, but
not yet ratified, such as the trade agreements with Canada and
Singapore. The result is that foreign investors would have the
possibility to route their investments into the EU through these countries.

From a rule of law perspective, a more valid solution would be to
improve weak aspects of domestic legal systems. This would provide equal
access to the law, and would not remove democratic oversight of the
development of law. There are other ways for investors to achieve
additional certainty for their investments than ISDS; they can, for
example, take out political risk insurance.

European Commission's ISDS reform proposal
http://trade.ec.europa.eu/doclib/docs/2015/september/tradoc_153807.pdf

EU Commission's ISDS proposal a threat to democracy and civil rights
(20.09.2015)
https://blog.ffii.org/eu-commission-isds-proposal-a-threat-to-democracy-and-civil-rights/

Vrijschrift letter to European Parliament's international trade
committee on Commission's ISDS proposal (21.09.2015)
https://www.vrijschrift.org/serendipity/index.php?/archives/186-Vrijschrift-letter-to-EU-parliament-INTA-committee-on-commission-ISDS-proposal.html

(Contribution by Ante Wessels, EDRi member Vrijschrift, The Netherlands)

=======================================================================
9. Recommended Action

Support EDRi!
European Digital Rights fights for your right to privacy, freedom of
expression, modernisation of copyright rules, legal protection for net
neutrality and against new European proposals for mass surveillance. Our
work is only possible with the continued financial support of donors
like you!
https://edri.org/supporters/

=======================================================================
10. Recommended Reading

Safe Harbour analysis: what today’s ruling might mean (23.09.2015)
http://www.irishtimes.com/business/technology/safe-harbour-analysis-what-today-s-ruling-might-mean-1.2363143

Plaintiff's reaction to Advocate General's Opinion on the Safe Harbor
agreement (23.09.2015)
http://www.europe-v-facebook.org/GA_en.pdf

DPLA, Europeana, Creative Commons Collaborate on International Rights
Statements
http://lj.libraryjournal.com/2015/06/digital-content/dpla-europeana-creative-commons-collaborate-on-international-rights-statements/#_

French data protection watchdog rejects Google’s search delisting appeal
(22.09.2015)
http://techcrunch.com/2015/09/21/french-data-protection-watchdog-rejects-googles-search-delisting-appeal/

=======================================================================
11. Agenda

28.09.2015, Brussels, Belgium
Trilogues and transparent law-making
http://www.ombudsman.europa.eu/en/activities/calendarevent.faces/en/1001/html.bookmark

01.10.2015, Brussels, Belgium
Internet as a Commons: Public Space in the Digital Age
http://www.greens-efa.eu/internet-as-a-commons-13850.html

10.10.2015, Berlin, Germany
Stop TTIP CETA Demo – protest for a fair world trade
http://ttip-demo.de/

13.10.2015, Strasbourg, France
Freedom of Expression: Still a precondition for democracy?
http://a.cs.coe.int/team81/mig/Conference_Freedom_of_expression_Strasbourg_2015/

15.10.2015, Brussels, Belgium
Big Brother Awards Belgium
https://bigbrotherawards.be

16.10.2015, Brussels, Belgium
Freedom not Fear
https://www.freedomnotfear.org/

16.10.2015, Brussels, Belgium
EDRi members meetup

28.10.2015, Amsterdam, The Netherlands
Dutch Big Brother Awards 2015
https://bigbrotherawards.nl/en_GB/over/

30.10.2015, Barcelona, Spain
Free Culture Forum 2015

30.10.2015, Barcelona, Spain
FCForum’15
http://fcforum.net/en/

04.11.2015, Warsaw, Poland
CopyCamp Conference 2015 – Understanding the Social Impacts of Copyright
http://copycamp.pl/en/

05.11.2015, Warsaw, Poland
The School of Rock(ing) EU Copyright
https://edri.org/the-school-of-rocking-eu-copyright/

06.11.2015, Erlangen, Germany
FIfF-Conference 2015: Commercialisation of the Soci(et)al – Markets and
Power in the Age of Total Datafication
http://www.fiff.de/

06.11.2015, London, United Kingdom
Mozilla Festival
https://2015.mozillafestival.org/

17.11.2015, Brussels, Belgium
EUhackathon
http://www.2015.euhackathon.eu/

27.12.2015, Hamburg, Germany
32C3
https://events.ccc.de

============================================================
12. About

EDRi-gram is a fortnightly newsletter about digital civil rights in
Europe. Currently EDRi has 33 members based or with offices in 19
different countries in Europe. European Digital Rights takes an active
interest in developments in the EU accession countries and wants to
share knowledge and awareness through the EDRi-gram.

All contributions, suggestions for content, corrections or agenda-tips
are most welcome. Errors are corrected as soon as possible and are
visible on the EDRi website.

Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/

Newsletter editor: Heini Jarvinen edrigram@edri.org

Information about EDRi and its members: http://www.edri.org/

European Digital Rights needs your help in upholding digital rights in
the EU. If you wish to help us promote digital rights, please consider
making a private donation.
https://edri.org/donate/

- EDRI-gram subscription information
Subscribe by e-mail
To: edri-news-request@mailman.edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.
Unsubscribe by e-mail
To: edri-news-request@mailman.edri.org
Subject: unsubscribe

- EDRI-gram in Macedonian
EDRI-gram is also available partly in Macedonian, with delay.
Translations are provided by Metamorphosis
http://www.metamorphosis.org.mk/mk/vesti/edri

- EDRI-gram in German
EDRI-gram is also available in German, with delay. Translations are
provided by Andreas Krisch from the EDRI-member VIBE!AT - Austrian
Association for Internet Users
http://www.unwatched.org/

- Newsletter archive
Back issues are available at:
http://www.edri.org/newsletters/

- Help
Please ask edrigram@edri.org if you have any problems with subscribing
or unsubscribing.